Recently, our ZLab research team published a detailed analysis of the LooCipher ransomware, a new malware threat that spreads using weaponized Word document and abuses ToR network proxy services to reach its command and control servers.
Cybaze-Yoroi ZLab team further analyzed this threat and defeated it releasing a free decryptor for LooCipher victims.
According to Fortinet, the encryption algorithm used by the LooCipher ransomware is AES-128 ECB with a 16-bytes key. The key is generated in a random way, starting from an array of pre-defined characters:
Since AES is a symmetric-key algorithm, retrieving the key it is possible to restore all encrypted files. The key will be sent to the C2 over HTTP as GET parameter (“k=”), but obviously it is obfuscated.
Experts pointed out an interesting details revealed by Fortinet researchers, the obfuscation method is very trivial. It consists in a simple replacing of each key characters with a pre-defined double-digit number, belonging to the following set:
So, once retrieved the obfuscated key it is possible to reconstruct the original key and decrypt all files.
The crucial point is to extract the obfuscated key. As shown by Fortinet, this can be done in two ways:
- Intercepting the network traffic, when the malware sends the key to the C2. This method could be difficult because the key is sent only once, and it is necessary to capture the exact network traffic containing this request.
- Exploring the memory map of LooCipher process after the completion of the encryption. The entire path (including the key) used to contact the C2 is still stored in the process memory location. This could be complex to not experienced users.
As previously stated, Cybaze-Yoroi ZLab released an automatic tool that is able to extract the secret key and proceed with the decryption of all files previously encrypted by the LooCipher ransomware. The tool requires the LooCipher process to be active.
The tool is available on GitHub at the following URL: